Docs: add page for serving from behind proxy

[DOCS-353]: https://hasurahq.atlassian.net/browse/DOCS-353?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ

PR-URL: https://github.com/hasura/graphql-engine-mono/pull/10606
GitOrigin-RevId: 23e39f82664a65209f58cdaa539b3f34462b381c

docs/docs/deployment/production-checklist.mdx

@@ -168,7 +168,7 @@ You can read more about this setting at
 
 Production APIs should be served over HTTPS to be secure over the network.
 
-See [Enable HTTPS](/deployment/enable-https.mdx) for details on achieving this.
+See [Enable HTTPS](/deployment/serve-behind-proxy.mdx) for details on achieving this.
 
 ## Configure a load balancer
 

docs/docs/deployment/serve-behind-proxy.mdx

@@ -1,27 +1,42 @@
 ---
-description: Secure the Hasura GraphQL endpoint
+description:
+  'Learn how to configure Hasura to run behind a proxy for enhanced security and efficient API management. This guide
+  covers setup for Nginx, Caddy, Kong, and Traefik proxies.'
 keywords:
-  - hasura
-  - docs
-  - deployment
-  - https
+  - hasura configuration
+  - proxy setup
+  - graphql engine
+  - ssl termination
+  - nginx hasura
+  - caddy proxy
+  - kong reverse proxy
+  - traefik configuration
 sidebar_position: 80
+seoFrontMatterUpdated: true
 ---
 
-# Enable HTTPS
+# Running Behind a Proxy
 
-## Setting up HTTPS
+## Introduction
 
-Hasura GraphQL Engine does not handle SSL/TLS for your API. That means,
-Hasura GraphQL Engine cannot serve your API on an HTTPS URL.
+In environments where direct internet access is restricted or for enhanced security measures, running Hasura GraphQL
+Engine behind a proxy is often a necessity. This approach is essential for enterprises that control and monitor internet
+traffic through a proxy server. By configuring Hasura to run behind a proxy, you can manage and secure access to your
+API efficiently.
 
-You should use a reverse proxy (like Nginx, Caddy, Kong, Traefik etc.)
-or the cloud provider's native load balancer SSL termination features to
-secure your API.
+While Hasura GraphQL Engine itself does not handle proxy settings, it can be configured to work seamlessly behind
+various popular proxy servers. This guide illustrates several examples for setting up a reverse proxy, such as Nginx,
+Caddy, Kong, or Traefik, to handle requests to and from your Hasura GraphQL Engine. You can find more solution-specific
+details on the proxy server's documentation.
 
-## Sample configurations
+By using a reverse proxy, you can enforce security policies, perform SSL termination, and manage traffic effectively,
+ensuring that your Hasura API remains secure and accessible within your network infrastructure.
 
-Here are a few sample configurations for some popular proxies:
+## Setting up a proxy
+
+Configuring your Hasura GraphQL Engine to work behind a proxy involves setting up the proxy server to forward requests
+to Hasura and, optionally, handle SSL/TLS termination. Here are some sample configurations for popular proxies that you
+can use as a starting point:
 
 ### [Nginx](https://nginx.org/en/docs/)
 
@@ -42,11 +57,16 @@ server {
 }
 ```
 
-Please note that setting up SSL is not covered in this guide. You can
-find more information at [Nginx docs](https://nginx.org/en/docs/http/configuring_https_servers.html).
+The example above directs Nginx to listen on ports `80` and `443` for HTTP and HTTPS requests respectively on the
+subdomain `hasura.<my-domain.com>`. The `proxy_pass` directive forwards requests to Hasura GraphQL Engine running on
+port 8080.
+
+:::info Server via a URL prefix
 
 To serve Hasura with a URL prefix instead of a separate subdomain, use `location /hasura/` or similar.
 
+:::
+
 ### [Caddy](https://caddyserver.com/)
 
 Here is a sample `Caddyfile` to proxy requests to Hasura:
@@ -57,8 +77,6 @@ hasura.<my-domain.com> {
 }
 ```
 
-Caddy has TLS provisioning built-in with Let's Encrypt or ZeroSSL. You can find the docs at [Caddy website](https://caddyserver.com/docs/automatic-https).
-
 In order to serve at a URL prefix, use the following configuration:
 
 ```bash
@@ -66,10 +84,6 @@ In order to serve at a URL prefix, use the following configuration:
   handle_path /hasura* {
     reverse_proxy localhost:8080
   }
-
-  handle {
-    # Fallback for otherwise unhandled requests
-  }
 }
 ```
 
@@ -144,6 +158,3 @@ In order to serve at a URL prefix, use the following configuration:
 
 ...
 ```
-
-Please note that setting up SSL is not covered in this guide. You can
-find more information at the [Traefik docs](https://doc.traefik.io/traefik/https/overview).

docs/docs/security/security-best-practices.mdx

@@ -45,8 +45,8 @@ access to the Hasura GraphQL Engine. SSO collaboration should be used to grant p
 key. Subsequently, implement a plan to rotate admin secrets to limit the exposure of an admin secret being shared too
 broadly.
 
-[Multiple admin secrets](/auth/authentication/multiple-admin-secrets.mdx) should be used in situations where admin secrets have
-different rotation timelines or when granting temporary access is needed.
+[Multiple admin secrets](/auth/authentication/multiple-admin-secrets.mdx) should be used in situations where admin
+secrets have different rotation timelines or when granting temporary access is needed.
 
 Leverage [allowed operations lists](https://www.graphql-code-generator.com/plugins/other/hasura-allow-list) whenever
 possible to restrict unbounded or unexpected operations from being executed against the GraphQL endpoint. Allow lists
@@ -82,7 +82,8 @@ permissions be configured correctly in order to prevent unauthorized or unintend
 - Review the [permissions summary](/deployment/production-checklist.mdx#review-the-summary) for each schema to verify
   permissions are constructed appropriately for your expected data access.
 
-- Configure an [anonymous default role](/auth/authorization/permissions/common-roles-auth-examples.mdx#unauthorized-users-example) in
+- Configure an
+  [anonymous default role](/auth/authorization/permissions/common-roles-auth-examples.mdx#unauthorized-users-example) in
   order to apply global security permissions. This default role should be configured similarly to any other role. This
   includes [RBAC permissions](/auth/authorization/quickstart.mdx), [API limits](/security/api-limits.mdx),
   [allowed operations lists](https://www.graphql-code-generator.com/plugins/other/hasura-allow-list) and
@@ -114,22 +115,25 @@ GraphQL Engine server.
 Hasura GraphQL Engine communicates with your data sources(s) via ODBC connection strings. This means Hasura has the same
 permissions as the provided credentials in the connection string.
 
-- Use environment variables rather than a hardcoded value when configuring the database connection string. This environment variable can then be reused in the other environments (e.g., staging or production) while containing a reference to the environment-specific database connection string.  Please see [Metadata Best Practices](/migrations-metadata-seeds/metadata-best-practices.mdx) for more information.
+- Use environment variables rather than a hardcoded value when configuring the database connection string. This
+  environment variable can then be reused in the other environments (e.g., staging or production) while containing a
+  reference to the environment-specific database connection string. Please see
+  [Metadata Best Practices](/migrations-metadata-seeds/metadata-best-practices.mdx) for more information.
 
 - Review the database permissions allocated via the provided credentials to ensure the level of access granted to Hasura
   is appropriate.
 
 - Use database connections strings with the least privileges required for API operations.
 
-- Configure [read replicas](/databases/database-config/read-replicas.mdx) to route read-only operations (queries) to one (or
-  many) read replicas.
+- Configure [read replicas](/databases/database-config/read-replicas.mdx) to route read-only operations (queries) to one
+  (or many) read replicas.
 
 ## Networking/API gateway
 
 We recommend the following HTTP layer security policies to be configured at the API gateway:
 
-- [Configure HTTPS](/deployment/enable-https.mdx) on your reverse proxy to ensure encrypted communication between your
-  client and Hasura.
+- [Configure HTTPS](/deployment/serve-behind-proxy.mdx) on your reverse proxy to ensure encrypted communication between
+  your client and Hasura.
 - Implement request and response size restrictions.
 - Restricted allowed connection time to prevent incidents such as slowloris attacks.
 - Apply both IP filtering and IP rate limiting.